Design and Analysis of Distributed Interacting Systems


Design and Analysis of Distributed Interacting Systems. Lecture 6: LTL Model Checking. Prof. Dr. Joel Greenyer, May 16, 2013

Some Book References

- C. Baier, J.-P. Katoen: Principles of Model Checking. The MIT Press, 2008.
- E. Clarke, O. Grumberg, D. Peled: Model Checking. MIT Press, 2000.
- J. Magee, J. Kramer: Concurrency: State Models and Java Programs. John Wiley & Sons, 2nd edition, 2006.
- B. Bérard, M. Bidoit, A. Finkel, F. Laroussinie, A. Petit, L. Petrucci, Ph. Schnoebelen, P. McKenzie: Systems and Software Verification: Model-Checking Techniques. Springer-Verlag, 2001.
- Stephan Kleuker: Formale Modelle der Softwareentwicklung: Model-Checking, Verifikation, Analyse und Simulation. Vieweg+Teubner Verlag, 2009.
- G. J. Holzmann: The SPIN Model Checker: Primer and Reference Manual. Addison-Wesley, 2004.
- Klaus Pohl: Requirements Engineering. dpunkt.verlag GmbH, 2nd edition, 2008.
- Axel van Lamsweerde: Requirements Engineering: From System Goals to UML Models to Software Specifications. John Wiley & Sons, 2009.

Last Time: Promela and Spin

    mtype = {press, hold};
    chan c = [0] of { mtype };

    active proctype switch(){
      RELEASED: if :: c!press; goto PRESSED fi;
      PRESSED:  if :: c!hold;  goto PRESSED
                   :: goto RELEASED
                fi;
    }

    active proctype light(){
      OFF:  if :: c?press; goto LOW fi;
      LOW:  if :: c?press; goto OFF
               :: c?hold;  goto HIGH
            fi;
      HIGH: if :: c?press; goto OFF
               :: c?hold;  goto LOW
            fi;
    }

(This is a possible pattern to model state machines in Promela.)

Spin Verification, More Technically...

The Promela model (the line numbers are referenced by the state tuples on the next slide):

    1  byte x, y;
    2  active proctype mini(){
    3    do
    4    :: (x < 2) ->
    5       x++
    6    :: (y < 2) ->
    7       y++
    8    :: else ->
    9       break
    10   od
    11 }

Workflow: Promela model + Spin settings -> C program -> output; if a property is violated, an error trace is produced. The error trace shown on the slide:

    -4:-4:-4 1:1:17 2:1:23 3:0:0 4:1:17 5:0:4 6:1:21 7:1:23

Spin Models and Kripke Structures

- A Spin model can be translated to a Kripke structure: data types, channels and the max. number of processes are finite.
- Spin can do an exhaustive analysis of the corresponding KS.
- Spin constructs the KS on-the-fly, i.e., sometimes it finds results without constructing the complete KS.

For the mini model above, the beginning of the KS looks like this (each state tuple records, among other things, the current line number of mini and the values of x and y):

    (_, 3, 0, 0) --x<2--> (0, 5, 0, 0) --x++--> (0, 3, 1, 0) ...
    (_, 3, 0, 0) --y<2--> (0, 7, 0, 0) --y++--> (0, 3, 0, 1)
    (0, 3, 0, 1) --x<2--> (0, 5, 0, 1) ...
    (0, 3, 0, 1) --y<2--> (0, 7, 0, 1) ...

Assertions

    ...
    #define trainoncrossing 3
    #define caroncrossing 2
    ...
    active proctype train(){ byte state; ... }
    active proctype car(){ byte state; ... }

    active proctype Inv(){
      assert(!(train:state == trainoncrossing && car:state == caroncrossing))
    }

When is this assertion executed? During the exhaustive state space exploration of model checking, all possible interleavings of the other processes and of the execution of this assertion will be checked.

Verify LTL Properties

For the switch/light model from the "Last Time" slide, LTL properties can be stated directly in the Promela file:

    ltl p0 {[]<> light@low}
    ltl p1 {[]<> light@high}

[] stands for G (always), <> stands for F (eventually), ! is negation.

Never-Claim

A sequence of Boolean expressions over variables in the model that must never happen. Simple example:

    byte x = 3;
    active proctype P(){ x = 1; }
    never { x == 3; x == 1 }

The never-claim reaches its end, and the verification will thus report a violation.

Never-Claim...

For the light process of the switch/light model above:

    never { true; light@low; true; light@high; }

I didn't explain this thoroughly.

Never-Claims: Why Should I Bother?

If I know how to specify interesting properties in LTL, why should I bother programming never-claims?
- Spin checks LTL properties by first converting them to never-claims; understanding never-claims helps to understand how Spin checks LTL properties.
- Never-claims are more verbose than LTL formulae, but they are also more powerful: e.g., you can count (up to finite numbers) in never-claims.

The Never-Claim Checking Process (adopted from Stephan Kleuker: Formale Modelle der Softwareentwicklung: Model-Checking, Verifikation, Analyse und Simulation. Vieweg+Teubner Verlag, 2009)

1. Initializing global variables
2. Initialize init and active processes
3. Initialize local process variables
4. [never-claim can make a step] the never-claim makes a step:
   - [never-claim terminated] counter-example found
   - [never-claim not terminated] continue with 5
   [never-claim cannot make a step] no counter-example
5. [model can make a step] the model makes a step, then back to 4
   [model cannot make a step]
   - [accept-cycle found] counter-example found
   - [no accept-cycle found] no counter-example

Never-Claim Checking: Example

    never { true; light@low; true; light@high; }

checked against the light process above; the slide animates the alternating steps:

1. true can always make a step (light@off)
2. model makes a step (light@low)
3. the never-claim can now make its step (light@low)
4. model makes a step (switch@released, not shown here)
5. the never-claim makes a step (true)
6. model makes a step (light@high)
7. the never-claim makes a step and terminates: the never-claim is violated.

Another Never-Claim Example

    never {
    T0_init:
      if
      :: (! light@low) -> goto accept_s4
      :: true -> goto T0_init
      fi;
    accept_s4:
      if
      :: (! light@low) -> goto accept_s4
      fi;
    }

- Labels of the form accept[a-zA-Z0-9_]* mark acceptance cycles: it must not be possible to visit these labels infinitely often.
- The if in T0_init is a non-deterministic choice; remember: all possibilities will be explored during a verification run.
- What is specified here?


Model Checking (overview)

Inputs: a model (Kripke structure) and a specification (LTL). Model checking answers either "true" or "false + counter-example" (the counter-example shows how the specification can be violated); in the latter case the model is modified and the check is repeated.

Automata-based LTL Model Checking

There are different techniques for checking LTL properties, i.e., checking whether M ⊨ φ. One is based on Büchi automata (BA): automata that accept infinite words.

Approach (let M be a Kripke structure over AP):

    M ⊨ φ
    iff L(M) ⊆ L(φ)
    iff L(M) ∩ ((2^AP)^ω \ L(φ)) = ∅
    iff L(M) ∩ L(¬φ) = ∅
    iff L(B_M ⊗ B_¬φ) = ∅

What we need:
1. Checking emptiness of the language accepted by a BA
2. Product construction for BAs
3. Represent a KS as a BA
4. Represent an LTL formula as a BA

Agenda
1. Introduce Büchi automata
2. Checking emptiness of the language accepted by a BA
3. Product construction for BAs
4. Represent a KS as a BA
5. Represent an LTL formula as a BA

Büchi Automata

A Büchi automaton is a tuple BA = (Q, Σ, T, I, F) in which
- Q is a finite, non-empty set of states
- Σ is a finite alphabet
- T ⊆ Q × Σ × Q is a transition relation
- I ⊆ Q is a set of initial states
- F ⊆ Q is a set of final states (also called accepting states)
(Syntactically the same as a finite-state automaton.)

An infinite word π ∈ Σ^ω is accepted by a BA iff the BA has a corresponding run (a path starting from an initial state) that infinitely often visits final states. Such a run is also called an accepting run.

Example: "infinitely often" one of the letters, Σ = {a, b} [automaton drawing not transcribed]

Büchi Automata (cont.)

There are other kinds of automata for infinite words: Rabin automata, Muller automata, Streett automata; they all accept the class of ω-regular languages.

Note: not all languages accepted by a non-deterministic Büchi automaton are accepted by a deterministic one. Example: the words with only finitely many occurrences of one of the letters cannot be represented by a deterministic BA [automaton drawing not transcribed].


Checking Emptiness

An accepting run must visit at least one accepting state infinitely often; an accepting state must thus appear in a cycle that is reachable from a start state. How do we determine the existence of such an accepting run?

Find Accepting Runs: SCC-Based Approach

- Compute all strongly connected components (SCCs).
- Check whether a non-trivial SCC contains an accepting state and whether it is reachable from a start state.

Def.: States C ⊆ Q form a strongly connected component iff
- for all q, q' ∈ C: q is reachable from q', and
- there is no C' ⊃ C for which this is true (C is maximal).
An SCC is trivial iff |C| = 1 and, for q ∈ C, (q, σ, q) ∉ T for all σ ∈ Σ (a single state without a self-loop).

Tarjan's algorithm computes the SCCs in time linear in the size of the graph; reachability is linear as well, thus overall: O(|Q| + |T|).

Find Accepting Runs: Another Idea, DFS

- Start a depth-first search from an initial state of the BA. Remember: DFS uses a stack for backtracking.
- When, from a state q, an edge is found to a state q' that is currently on the stack, a cycle is found: the cycle runs along the states on the stack from q' to q.
- If one of these states is accepting, there is an accepting run: along the states on the stack, and then repeating in the cycle.
- An edge to a state on the stack is called a backward edge. If the DFS finds no backward edges, then the BA is acyclic.
- Problem: when we find a cycle, we must always check whether it contains an accepting state. This is expensive; we are no longer linear in the size of the automaton.

Find Accepting Runs: Nested DFS

Idea: two DFSs, called blue (outer) and red (inner) DFS; each DFS visits a state at most once, coloring it blue/red.
- Start the blue DFS from a start state.
- If the blue DFS finds an accepting state q, start a red DFS from q.
- If the red DFS finds a non-empty path from q to q, report a cycle: an accepting run is found: current stack of the blue DFS + the cycle.
- Otherwise continue the blue DFS (from q).

Find Accepting Runs: Nested DFS (pseudocode)

    procedure nested_dfs(BA B)
      forall q0 ∈ I
        call dfs_blue(q0);

    procedure dfs_blue(State q)
      q.blue := true;
      forall q' with (q, σ, q') ∈ T        -- loop over the successors of q
        if not q'.blue then call dfs_blue(q');
      if q ∈ F then
        seed := q;
        call dfs_red(q);

    procedure dfs_red(State q)
      q.red := true;
      forall q' with (q, σ, q') ∈ T
        if not q'.red then call dfs_red(q');
        else if q' = seed then report cycle;

Note that dfs_red is started from an accepting state q only after all successors of q have been explored by dfs_blue (post-order); the blue and red markings persist across all calls.


The slides animate this: the blue DFS descends from the start state, the seed is set at the first accepting state, and the red DFS reports the cycle when it reaches q' = seed.

Alternative: report the cycle earlier, when dfs_red() encounters a state that is on the dfs_blue() stack; this requires an extra data structure for that stack.

SCC-Based vs. Nested DFS Approach

- SCC-based approach: finds shorter accepting runs. Why is this good? Because these are the counter-examples that help us understand how a property is violated.
- Nested DFS approach: better suited for on-the-fly emptiness checks: the BA is constructed while exploring it, and accepting runs may be found before the whole BA is explored/constructed.
- Spin uses a modified version of the nested DFS algorithm, see: G. J. Holzmann, D. A. Peled, and M. Yannakakis: On nested depth first search. In Proc. 2nd SPIN Workshop, pages 23-32, 1996.
- Further work on efficient emptiness checking, see: A. Gaiser, S. Schwoon: Comparison of Algorithms for Checking Emptiness on Büchi Automata. Proc. of the Workshop on Mathematical and Engineering Methods in Computer Science, MEMICS 2009.


Product Construction for BA

Given two BA B1 = (Q1, Σ, T1, I1, F1) and B2 = (Q2, Σ, T2, I2, F2), we build an automaton B1 ⊗ B2 that accepts L(B1) ∩ L(B2):

    B1 ⊗ B2 = (Q1 × Q2 × {0, 1, 2}, Σ, T, I1 × I2 × {0}, Q1 × Q2 × {2})

We have ((r_i, q_j, x), σ, (r_m, q_n, y)) ∈ T iff (r_i, σ, r_m) ∈ T1 and (q_j, σ, q_n) ∈ T2, where the third component is a counter:
- x = 0 and r_m ∈ F1: then y = 1 (visited an accepting state of the first BA)
- x = 1 and q_n ∈ F2: then y = 2 (now visiting also an accepting state of the second BA)
- x = 2: then y = 0 (reset the counter)
- otherwise y = x (keep the value of the counter)

From E. Clarke, O. Grumberg, D. Peled: Model Checking. MIT Press, 2000.


Product Construction for BA: Example

Two two-state automata B1 (states r1, r2) and B2 (states q1, q2) are combined step by step on the slides [automaton drawings not transcribed]. The product states reached are (r1, q1, 0), (r1, q2, 1), (r2, q1, 2), (r1, q2, 0) and (r2, q1, 0); all states with 2 as the third component are accepting.

From E. Clarke, O. Grumberg, D. Peled: Model Checking. MIT Press, 2000.


Represent a Kripke Structure as a Büchi Automaton

This is quite simple. The example on the slide [drawing not transcribed] shows a Kripke structure whose states are labelled {p, q}, {p} and {q}, and the corresponding BA, in which each transition carries the label of the state it enters and every state is accepting.

From E. Clarke, O. Grumberg, D. Peled: Model Checking. MIT Press, 2000.

Special Case for BA Product Construction

The product construction can be simplified if all states of one automaton are accepting. This is the case for the automaton of the modeled system: all of its states are accepting.

Given two BA B1 = (Q1, Σ, T1, I1, F1) and B2 = (Q2, Σ, T2, I2, F2), if F1 = Q1, then B1 ⊗ B2 is defined as follows:

    B1 ⊗ B2 = (Q1 × Q2, Σ, T, I1 × I2, Q1 × F2)

i.e., a product state is accepting where the second automaton is accepting. We have ((r_i, q_j), σ, (r_m, q_n)) ∈ T iff (r_i, σ, r_m) ∈ T1 and (q_j, σ, q_n) ∈ T2: both automata agree on the transition, as usual.
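The general product construction with the {0, 1, 2} counter and the nested DFS emptiness check from the slides above, as an added Python example (this is not code from the lecture or from Spin). The two "infinitely often" automata, the one-state model MODEL_ONLY_A and the names successors, product, nested_dfs, is_accepting_lasso, inf_often and check are all constructed here for illustration; check() performs the M ⊨ φ test of the automata-based approach: the product of the model with B_¬φ has an empty language iff φ holds.

```python
"""Büchi product (with the {0,1,2} counter) and nested-DFS emptiness check; added example, not lecture or Spin code."""
from collections import namedtuple

# Büchi automaton (Q, Σ, T, I, F); trans is a set of (q, σ, q') triples.
BA = namedtuple("BA", "states alphabet trans initial accepting")

def successors(ba, q):
    # sorted, so the exploration order (and thus the counter-example) is deterministic
    return sorted((s, q2) for (q1, s, q2) in ba.trans if q1 == q)

def product(b1, b2):
    """B1 ⊗ B2 accepts L(B1) ∩ L(B2); the third state component is the counter x."""
    states = frozenset((r, q, x) for r in b1.states for q in b2.states for x in (0, 1, 2))
    trans = set()
    for (r_i, s1, r_m) in b1.trans:
        for (q_j, s2, q_n) in b2.trans:
            if s1 != s2:                 # both automata must read the same letter σ
                continue
            for x in (0, 1, 2):
                if x == 0 and r_m in b1.accepting:
                    y = 1                # visited an accepting state of B1
                elif x == 1 and q_n in b2.accepting:
                    y = 2                # ... and then an accepting state of B2
                elif x == 2:
                    y = 0                # reset the counter
                else:
                    y = x                # keep the counter value
                trans.add(((r_i, q_j, x), s1, (r_m, q_n, y)))
    initial = frozenset((r, q, 0) for r in b1.initial for q in b2.initial)
    accepting = frozenset((r, q, 2) for r in b1.states for q in b2.states)
    return BA(states, b1.alphabet, frozenset(trans), initial, accepting)

def nested_dfs(ba):
    """Return (prefix, cycle) of an accepting run, or None if L(ba) is empty."""
    blue, red, blue_stack = set(), set(), []

    def dfs_red(q, seed, path):
        red.add(q)
        for (_, q2) in successors(ba, q):
            if q2 not in red:
                cycle = dfs_red(q2, seed, path + [q2])
                if cycle is not None:
                    return cycle
            elif q2 == seed:
                return path              # the path closes back to the seed: cycle found
        return None

    def dfs_blue(q):
        blue.add(q)
        blue_stack.append(q)
        for (_, q2) in successors(ba, q):
            if q2 not in blue:
                result = dfs_blue(q2)
                if result is not None:
                    return result
        if q in ba.accepting:            # post-order: the red DFS starts after q's successors
            cycle = dfs_red(q, q, [q])
            if cycle is not None:
                return (blue_stack[:-1], cycle)
        blue_stack.pop()
        return None

    for q0 in sorted(ba.initial):
        if q0 not in blue:
            result = dfs_blue(q0)
            if result is not None:
                return result
    return None

def is_accepting_lasso(ba, prefix, cycle):
    """Validate a counter-example: starts in I, follows T, the cycle closes and visits F."""
    run = prefix + cycle
    if not cycle or run[0] not in ba.initial:
        return False
    edges = {(q1, q2) for (q1, _, q2) in ba.trans}
    steps = list(zip(run, run[1:])) + [(cycle[-1], cycle[0])]
    return all(e in edges for e in steps) and any(q in ba.accepting for q in cycle)

def inf_often(letter, other, name):
    # two-state BA accepting exactly the words over {letter, other} with infinitely many `letter`
    s0, s1 = name + "0", name + "1"
    trans = {(s0, other, s0), (s0, letter, s1), (s1, other, s0), (s1, letter, s1)}
    return BA(frozenset({s0, s1}), frozenset({letter, other}), frozenset(trans),
              frozenset({s0}), frozenset({s1}))

# Constructed instances: "infinitely often b" (= B_¬φ for φ = FG ¬b), "infinitely often a", and a one-state
# model that only ever emits a (all of its states accepting, as for a Kripke structure).
B_GFB = inf_often("b", "a", "s")
B_GFA = inf_often("a", "b", "t")
MODEL_ONLY_A = BA(frozenset({"u0"}), frozenset({"a", "b"}), frozenset({("u0", "a", "u0")}),
                  frozenset({"u0"}), frozenset({"u0"}))

def check(model, neg_spec):
    """M ⊨ φ iff L(B_M ⊗ B_¬φ) = ∅: None if φ holds, else a counter-example lasso (prefix, cycle)."""
    return nested_dfs(product(model, neg_spec))
```

check(MODEL_ONLY_A, B_GFB) returns None (the model never emits b, so FG ¬b holds), while nested_dfs(product(B_GFB, B_GFA)) returns a lasso whose cycle reads both letters infinitely often.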

Agenda (recap): items 1 to 4 are done; 5. Represent an LTL formula as a BA: next time (in two weeks).

ICSE and SEAMS 2013

Our Paper at SEAMS

A change in requirements or environment assumptions (assumption or requirement MSDs added or removed) turns a specification S into a specification S'. S is implemented by the current controller (c). Automated synthesis then builds a dynamically updating controller: what remains of the current controller (the "c-part", with the removed transitions taken out), an added controller for implementing S' (the "c'-part"), and added update transitions that connect the two at updatable states.

See http://jgreen.de/wp-content/documents/2013/panzica-greenyer-ghezzi-brenner-studyingadditionalcriteriaofdynamicupdates-seams2013.pdf